'Night Dragon' attacks: Another reason to care about consumer malware

When security experts talk about "securing critical infrastructure," they often talk about the direct threats, but you rarely hear anyone mention securing websites and consumer PCs. Yet success in cleaning up the Web and the endpoints is just as important.

Starting in November 2009, covert cyberattacks were launched against several global oil, energy, and petrochemical companies. The attackers targeted proprietary operations and project-financing information on oil and gas field bids and operations. This information is highly sensitive and can make or break multibillion-dollar deals in this extremely competitive industry.

McAfee has identified the tools, techniques, and network activities used in these attacks, which continue to this day. The attacks have involved an elaborate mix of hacking techniques, including social engineering, spear-phishing, Windows exploits, Active Directory compromises, and the use of remote administration tools (RATs).

This was a sophisticated effort that likely was coordinated or sponsored by a government, a large corporation, or a well-organized criminal group. So what does this complex, targeted attack against energy companies have to do with consumer malware? The answer, it turns out, is plenty.

Attacks like Night Dragon require specialized tools, expertise, and experience. The group behind Night Dragon needed to find -- or in some cases build -- backdoors, command-and-control servers, and other malware components. They had to figure out which SQL injection attacks would work effectively without detection. They needed the resources and the knowledge to purchase (likely with fake or stolen credentials) web hosting accounts around the world. And they needed to know how to put it all together into something that would work.

If an organization had to start from scratch to acquire all this, it would be a nearly insurmountable task. But, of course, they don't. And one of the main reasons they don't is that there is a robust criminal malware ecosystem already in place for them to draw upon. According to McAfee's more detailed report, the Night Dragon attackers relied on several off-the-shelf components for their dirty work. They probably found them in the same forums used by the people who inject drive-by downloads into unsuspecting consumer and small business websites. Whoever built the custom components for Night Dragon probably learned their trade through the criminal underground. Or, perhaps, those components were outsourced to someone currently in the criminal underground.

That criminal underground has developed around desktop malware, phishing, and spam of the kind that consumers and businesses deal with every day. This criminal activity has been successful enough over time to support an entire economy. We're beginning to see the ripple effects of such an economy in attacks like those on Google last year and this more recent spate of espionage. When policymakers and security experts talk about "securing critical infrastructure," they often talk about the direct threats, but you rarely hear anyone mention securing websites and consumer PCs. Yet success in cleaning up the Web and the endpoints might be as important for defending high-profile targets as developing the targets' own defenses.

* Maxim Weinstein is executive director of StopBadware, a non-profit anti-malware organization based in Cambridge, Massachusetts.